
HOWTO: Enabling Authentication Auditing for Windows 2008

This article applies to:

  • NAC 3.x
  • NAC 4.x

Question:

  • How do I enable Authentication Auditing for Windows 2008?

Information:

Security Event Log

SSO uses Active Directory server event security logs to handle security events. For all Active Directory servers that provide SSO information, you must enable and configure the Security Event Log.

  1. Launch the Event Viewer by selecting: Start > Control Panel > Administrative Tools > Event Viewer
  2. Select the Security folder in the navigation tree.
  3. Right-click the folder and then select Properties from the Actions menu.
  4. Under the General tab, select the Overwrite when needed option.
    • NOTE: Over time, this log file will grow. For optimal performance, you should limit this log file to less than 5 MB in size. For more information, refer to the article titled “Backing Up and Clearing Event Logs.” This article discusses modifications that can back up and clear the log, and is available from the Microsoft TechNet site, at: http://www.microsoft.com/technet/scriptcenter/guide/sas_log_pcna.mspx.
  5. Under the Filter tab, select the Security Audit Success option.
    • The security audit policy should also allow for auditing successful logon events. For information on enabling auditing of successful login events, refer to one of these articles available from the Microsoft Help and Support (KB) portal:
  6. Click OK to apply the changes and close the dialog.

Event Log Access Account

Each AC Portal requires an account that has access to the security log. While you can use an administrator-level account, you may prefer to create an observer account, which has fewer privileges. You can configure an observer account for the domain policy or the local (domain controller) policy. Trustwave recommends configuring the account for the root level domain policy so that the account will be replicated across all domain controllers in the AD forest.

To create an observer account for the domain policy, follow these steps:

  1. Launch the Active Directory Users and Computers dialog. To do this, select: Start > Control Panel > Administrative Tools > Active Directory Users and Computers
  2. Select the Users folder in the navigation tree.
  3. Right-click the folder, and then select New > User.
  4. Complete the dialog to create the Trustwave NAC ACM user, and then click OK.
    • When setting up the Trustwave NAC ACM user, you will select a login and password. Remember these for use later; you will need this information when configuring the SSO through an AC Portal. Do not use any of the following characters in the password: [ ] ( ) { } - + * . ^ $ ? | \ # @ !
  5. Launch the Domain Controller Security Policy dialog. To do this, select: Start > Control Panel > Administrative Tools > Domain Controller Security Policy
  6. Open the User Rights Assignment view. To do this, select: Security Settings > Local Policies > User Rights Assignment
  7. Right-click the policy named Manage auditing and security log, and then select Properties.
  8. Add the newly created Trustwave NAC ACM user (Step 4), and then click OK.
  9. Refresh the domain policy. To do this, run the following command from a command prompt: 

    gpupdate.exe
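
After the policy refresh, the settings from both procedures above can be checked from an elevated PowerShell prompt on the domain controller. This is an added example, not Trustwave's own tooling; the account name is a placeholder, and reading the "Logon" subcategory as the one that covers "successful logon events" is an assumption.

```powershell
# Added verification example; run elevated on the domain controller.
# ASSUMPTION: 'EXAMPLE\nac-observer' is a placeholder for the account created in Step 4.
$Account = 'EXAMPLE\nac-observer'

# 1. Security log settings: "Overwrite when needed" is reported as retention: false.
$logCfg    = wevtutil gl Security
$retention = ($logCfg | Select-String '^\s*retention:\s*(\S+)').Matches[0].Groups[1].Value
$maxSize   = [long]($logCfg | Select-String '^\s*maxSize:\s*(\d+)').Matches[0].Groups[1].Value

# 2. Audit policy: successful logons must be audited.
# ASSUMPTION: the "Logon" subcategory is the relevant one; output text is English-locale.
$logonLine = auditpol /get /subcategory:"Logon" | Select-String '^\s+Logon\s'
$auditOk   = [bool]($logonLine -and ($logonLine.Line -match 'Success'))

# 3. User right: "Manage auditing and security log" is SeSecurityPrivilege.
$inf = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$holders = @()
$m = Select-String -Path $inf -Pattern '^SeSecurityPrivilege\s*=\s*(.*)$'
if ($m) { $holders = $m.Matches[0].Groups[1].Value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } }
Remove-Item $inf
# Only a direct grant is detected; a right inherited through a group shows the group's SID instead.
$rightOk = ($holders -contains $sid) -or ($holders -contains ($Account -split '\\')[-1])

"Overwrite when needed      : {0}" -f ($retention -eq 'false')
"Log size at or under 5 MB  : {0} ({1} bytes)" -f ($maxSize -le 5MB), $maxSize
"Logon success audited      : {0}" -f $auditOk
"Account holds the log right: {0}" -f $rightOk
```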
